
怎么调用别的驱动中的未导出函数

如何调用别的驱动中的未导出函数?
我现在要写一个驱动,中间要调用别的驱动中的未导出函数
是否可以像ring3下那样,找到地址再call?
如果可以,请帮看看这段代码有问题吗?
如果不行,那又要怎么样才能实现这样的目的呢?


//得到 KeyboardClassServiceCallback 函数在内核内的地址。
//注意:下面完全依赖在 DriverEntry 起 0x1000 字节内匹配硬编码的机器码特征
//(FF 15 调 IAT 中的 IoGetDeviceObjectPointer、其后第一条 E8 被当作 KeyboardAddDeviceEx 的调用、
//再匹配 0F 84 / 3B C1 / 0F 85 / 68 / E8 序列取 push 的立即数)来定位,
//很可能只对提取这些特征的那个 kbdclass.sys 版本有效;换系统版本或编译器后需重新核对特征,
//否则可能匹配到其他 call 而返回错误地址,后续按该地址 call 会直接蓝屏。
//另外地址全部用 ULONG 保存并与 PUCHAR 互转,只适用于 32 位内核。
ULONG   GetKbdServiceCallBackAddr(PUCHAR   Base,   ULONG   Size,   ULONG   DriverEntry,   ULONG   uIATAddr,   ULONG   ImageBase)
{  
ULONG   uKbdServiceCallBackAddr   =   0;
ULONG   nRetCode   =   FALSE;
ULONG   i   =   0;
PUCHAR   Buffer   =   (PUCHAR)DriverEntry;
ULONG   OpcodeLen   =   0;
ULONG   KeyboardAddDeviceExRoutine   =   0;
PROCESS_ERROR(Size   >   DriverEntry   -   (ULONG)Base   +   0x1200);
__try
{
i   =   0;
while   (i   <   0x1000   )
{
if   (Buffer[i]   ==   0xFF   &&   //call   dword   ptr[xxxxx]
Buffer[i   +   1]   ==   0x15)
{
if   (   *(ULONG*)(Buffer   +   i   +   2)   ==   uIATAddr   )   //判断是否是调用IoGetDeviceObjectPointer函数
{
break;
}
}
OpcodeLen   =   GetOpcodeLen(Buffer   +   i);
PROCESS_ERROR(OpcodeLen);
i   +=   OpcodeLen;
}
PROCESS_ERROR(i   <   0x1000);

while   (i   <   0x1000)   //查找KeyboardAddDeviceEx函数地址
{
if   (Buffer[i]   ==   0xE8)
{
KeyboardAddDeviceExRoutine   =   (ULONG)Buffer   +   i   +   *(ULONG*)(Buffer   +   i   +   1)   +   5;
break;
}
OpcodeLen   =   GetOpcodeLen(Buffer   +   i);
PROCESS_ERROR(OpcodeLen);
i   +=   OpcodeLen;
}
PROCESS_ERROR(KeyboardAddDeviceExRoutine);
Buffer   =   (PUCHAR)   KeyboardAddDeviceExRoutine;
i   =   0;
while   (i   <   0x200)
{
if   (Buffer[i]   ==   0xF   &&   //Jnz   xxxxx
Buffer[i   +   1]   ==   0x84   &&  
Buffer[i   +   6]   ==   0x3B   &&   //cmp   eax,   ecx
Buffer[i   +   7]   ==   0xC1   &&
Buffer[i   +   8]   ==   0x0F   &&   //jnz   xxxxx
Buffer[i   +   9]   ==   0x85   &&
Buffer[i   +   14]   ==   0x68   &&   //push   KbdServiceCallBack
Buffer[i   +   20]   ==   0xE8   //call   KbdSendConnectRequest
)
{
uKbdServiceCallBackAddr   =   *(ULONG*)(Buffer   +   i   +   14   +   1);
break;
}
OpcodeLen   =   GetOpcodeLen(Buffer   +   i);
PROCESS_ERROR(OpcodeLen);
i   +=   OpcodeLen;
}
PROCESS_ERROR(i   <   0x200);
PROCESS_ERROR(uKbdServiceCallBackAddr);
uKbdServiceCallBackAddr   -=   ImageBase;
Buffer   =   Base   +   uKbdServiceCallBackAddr;
i   =   0;
while   (i   <   0x100)
{
if   (Buffer[i]   ==   0xFF   &&   //call   dword   ptr[xxxxx]
Buffer[i   +   1]   ==   0x15  
)
{
uKbdServiceCallBackAddr   =   (ULONG)(Buffer   +   i)   -   (ULONG)Base;